Rights of individuals

The Act gives rights to individuals in respect of personal data held about them by others. The rights are:

  1. Right of subject access (Sections 7 to 9).
  2. Right to prevent processing likely to cause damage or distress (Section 10).
  3. Right to prevent processing for the purposes of direct marketing (Section 11).
  4. Rights in relation to automated decision-taking (Section 12).
  5. Right to take action for compensation if the individual suffers damage by any contravention of the Act by the data controller (Section 13).
  6. Right to take action to rectify or erase inaccurate data (Section 14).
  7. Right to make a request to the Commissioner for an assessment to be made as to whether any provision of the Act has been contravened (Section 42 of the Act).

We shall look in detail only at subject access rights.


Subject access rights

Any individual may make a (written) request to the data controller for details of what information is held about himself or herself. A standard fee is payable, but an individual is then entitled:

A data controller must comply with a subject access request within forty days of receipt of the request. If the controller needs to confirm the identity of the person making the request, a response must be issued within forty days of receipt of that confirmation.

The information given in response to a subject access request should be everything contained in the personal data at the time the request was received. However, routine amendments and deletions of the data may continue between the date of the request and the date of the reply. Hence the information revealed to the data subject may differ from the data which were held at the time the request was received, even to the extent that data are no longer held. However, the data controller must not tamper with the information just to make it acceptable to the data subject.

A particular problem arises for data controllers who find that, in complying with a subject access request, they will disclose information relating to an individual other than the data subject, where that other individual can be identified from the information. The Act recognises this problem and sets out only two circumstances in which the data controller is obliged to comply with the subject access request in such cases, namely:

If a data subject believes that a data controller has failed to comply with a subject access request in contravention of the Act, they may apply to Court for an order that the data controller complies with the request. An order will be made if the Court is satisfied that the data controller has failed to comply with the request in contravention of the Act.


Injunction and redress

The data subject may take out an injunction under Section 9 to prevent the data controller from processing or even collecting personal data. This can be done where processing is likely to cause substantial damage or distress which is unwarranted.

An individual who suffers damage due to contravention by a data controller can seek compensation under Section 11.


Important notice

What you read here is only a summary to introduce the concepts. You should not rely on it to build a legal case or safeguard your legal position. The University of Glamorgan and its employees cannot be held responsible for any legal or other redress due to errors in the notes. Seek professional legal advice before acting on what you read here.


Comments please to: dwfarthi@glam.ac.uk. © 1999, University of Glamorgan